On 23/03/15 09:21 PM, Christopher Browne wrote:
Someone (I don't know whom) wasn't thrilled to have their Mailman password sent to our web site via non-SSL, hence non-encrypted connection.
That... specifically is a bit of a silly concern. Standard GNU Mailman sign up instructions read:

"""
You may enter a privacy password below. This provides only mild security, but should prevent others from messing with your subscription. **Do not use a valuable password** as it will occasionally be emailed back to you in cleartext.
"""

(I believe GNU Mailman also *stores* passwords in plain text.) There's no reasonable expectation of security with a GNU Mailman password to begin with.
Which points to it being desirable to have an SSL cert. [...]
Still, SSL seems like a good idea regardless, even if it wouldn't solve any issue with Mailman.